Backdoor.Linux.NEKO.AB

July 31, 2019

Analysis by: Patrick Angelo Roderno

ALIASES:

HEUR:Trojan.Linux.Agent.fy (KASPERSKY); ELF:Hajime-R [Trj] (AVAST)

PLATFORM:

Linux

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It takes advantage of certain vulnerabilities.

TECHNICAL DETAILS

File Size: 44,232 bytes

File Type: ELF

Memory Resident: No

Initial Samples Received Date: 22 Jul 2019

Payload: Connects to URLs/IPs, Terminates processes, Exploits vulnerabiltiies

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

Execute shell command
Kill specified processes
Launch UDP flood
Run scanner function and propagate via exploit
Change CnC

It connects to the following URL(s) to send and receive commands from a remote malicious user:

{BLOCKED}.{BLOCKED}.25.200

Process Termination

This Backdoor terminates the following malware-related processes:

902i13
BzSxLxBxeY
HOHO-LUGO7
HOHO-U79OL
JuYfouyf87
NiGGeR69xd
SO190Ij1X
LOLKIKEEEDDE
Ex0420
ekjheory98e
rzr
EXTENDO
scansh4
MDMA
fdevalvex
scanspc
MELTEDNINJAREALZ
flexsonskids
scanx86
MISAKI-U79OL
foAxi102kxe
swodjwodjwoj
MmKiy7f87l
freecookiex86
sysgpu
frgege
sysupdater
0DnAzepd
NiGGeRD0nks69
frgreu
0x766f6964
NiGGeRd0nks1337
gaft
urasgbsigboa
120i3UI49
OaF3
geae
vaiolmao
123123a
Ofurain0n4H34D
ggTrex
ew
wasads
1293194hjXD
OthLaLosn
ggt
wget-log
cupsddh
1337SoraLOADER
SAIAKINA
atddd
sksapdd
ggtq
1378bfp919GRB1Q2
SAIAKUSO
skysapdd
ggtr
14Fa
SEXSLAVE1337
ggtt
1902a3u912u3u4
haetrghbr
19ju3d
SORAojkf120
hehahejeje92
2U2JDJA901F91
SlaVLav12
helpmedaddthhhhh
2wgg9qphbq
Slav3Th3seD3vices
hzSmYZjYMQ
5Gbf
sora
SoRAxD123LOL
iaGv
5aA3
SoRAxD420LOL
insomni
640277
SoraBeReppin1337
ipcamCache
66tlGg9Q
6ke3
TOKYO3
lyEeaXul2dULCVxh
93OfjHZ2z
TY2gD6MZvKc7KU6r
mMkiy6f87l
A023UU4U24UIU
TheWeeknd
mioribitches
A5p9
TheWeeknds
mnblkjpoi
AbAd
Tokyos
neb
Akiru
U8inTz
netstats
Alex
W9RCAKM20T
newnetword
Ayo215
g1abc4dmo35hnp2lie0kjf
Word
nloads
BAdAsV
Wordmane
notyakuzaa
Belch
Wordnets
obp
BigN0gg0r420
X0102I34f
ofhasfhiafhoi
X19I239124UIU
oism
8Deported
XSHJEHHEIIHWO
olsVNwo12
DeportedDeported
XkTer0GbA1
onry0v03
FortniteDownLOLZ
Y0urM0mGay
pussyfartlmaojk
GrAcEnIgGeRaNn
YvdGkqndCO
qGeoRBe6BE
GuiltyCrown
ZEuS69
s4beBsEQhd
HOHO-KSNDO
ZEuz69
sat1234
aj93hJ23
scanHA
alie293z0k2L
scanJoshoARM
HellInSide
ayyyGangShit
scanJoshoARM5
HighFry
b1gl
scanJoshoARM6
IWhPyucDbJ
boatnetz
scanJoshoARM7
IuYgujeIqn
btbatrtah
scanJoshoM68K
JJDUHEWBBBIB
scanJoshoMIPS
JSDGIEVIVAVIG
cKbVkzGOPa
scanJoshoMPSL
ccAD
scanJoshoPPC
KAZEN-OIU97
chickenxings
scanJoshoSH4
yakuskzm8
KAZEN-PO78H
cleaner
scanJoshoSPC
KAZEN-U79OL
dbeef
scanJoshoX86
yakuz4c24
KETASHI32
ddrwelper
scanarm5
zPnr6HpQj2
Kaishi-Iz90Y
deexec
scanarm6
zdrtfxcgy
Katrina32
doCP3fVj
scanarm7
zxcfhuio
Ksif91je39
scanm68k
Kuasa
dvrhelper
scanmips
KuasaBinsMate
eqnOhRk8s
scanmpsl
LOLHHHOHOHBUI
eXK20CL12Z
nya
mezy
QBotBladeSPOOKY
hikariwashere
p4029x91xx
32uhj4gbejh
zhr
lzrd
PownedSecurity69
.ares
fxlyazsxhy
jnsd9sdoila
yourmomgaeis
sdfjiougsioj
Oasis
SEGRJIJHFVNHSNHEIHFOS
apep999
KOWAI-BAdAsV
KOWAI-SAD
jHKipU7Yl
airdropmalware
your_verry_fucking_gay
Big-Bro-Bright
sefaexec
shirololi
eagle.
For-Gai-Mezy
0x6axNL
cloqkisvspooky
myth
SwergjmioG
KILLEJW(IU(JIWERGFJGJWJRG
Hetrh
APEP
wewrthe
IuFdKssCxz
jSDFJIjio
OnrYoXd666
ewrtkjoketh
ajbdf89wu823
AAaasrdgs
REKAI
WsGA4@F6F
GhostWuzHere666
BOGOMIPS
sfc6aJfIuY
Demon.
xeno-is-god
ICY-P-0ODIJ
gSHUIHIfh
wrgL
hu87VhvQPz
dakuexecbin
TacoBellGodYo
loligang
PRIVMSG
Execution
orbitclient
Amnesia
Owari
UnHAnaAW
DUP
Eats8
z3hir
obbo
miori
eagle
MASUTA
doxxRollie
WHOIS
KILLATTK
daddyl33t
lessie.
1gba4cdom53nhp12ei0kfj
9u123448u124au814d4x10
hax.
yakuza
wordminer
v[0v
minerword
SinixV4
hoho
g0dbu7tu
orphic
furasshu
horizon
assailant
Ares
Kawaiihelper
ECHOBOT
DEMONS
kalon
Josho
daddyscum
akira.ak
Hilix
daku
Tsunami
estella
Solar
rift
_-255.Net
Cayosin
Okami
Kosha
bushido
trojan
shiina
Reaper.
Corona.
wrgnuwrijo
Aka
Hari
orage
fibre
galil
stresserpw
stresser.pw
Tohru
Omni
kawaii
Frosti
sxj472sz
HU6FIZTQU
PFF1500RG
plzjustfuckoff
nvitpj
elfLoad
Amakano
tokupdater
/dev/netslink/
/dev/FTWDT101_watchdog
cum-n-go
oblivion
Voltage
Votan
.anime
scanppc

Other Details

This Backdoor takes advantage of the following vulnerabilities:

SOLUTION

Minimum Scan Engine: 9.850

FIRST VSAPI PATTERN FILE: 15.252.02

FIRST VSAPI PATTERN DATE: 23 Jul 2019

VSAPI OPR PATTERN File: 15.253.00

VSAPI OPR PATTERN Date: 24 Jul 2019

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Linux.NEKO.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Did this description help? Tell us how we did.